[strongSwan] Setting the virtual ip gateway?
noel at familie-kuntze.de
Thu Sep 18 19:27:43 CEST 2014
You don't need to set a virtual gateway. Well, it's actually kind of senseless, because
in IPsec, you define a list of networks that are supposed to be tunneled.
The VPN server gets the client's traffic and routes it based on the routing table it has.
Hence, what you call "virtual gateway" is _always_ the VPN server.
You cannot make the VPN clients route it anywhere else.
About the virtual IP ranges:
The "ipsec pool" tool can do that. You need to use an SQL database for it though.
You could use an sqlite file for that.
Kind regards/Regards,
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 17.09.2014 at 23:31, Cindy Moore wrote:
> I have two servers on our public network, let's call them nat and vpn.
> Vpn, naturally, has the strongswan vpn set up on it, etc. (if it
> matters, ubuntu 14.04 is installed on everything).
> Let's say the public network I have is 126.96.36.199/24, nat is 188.8.131.52
> and vpn is 184.108.40.206.
> So ordinarily, for a server that I put on the private network (let's
> say it's 220.127.116.11/24, and I give this server 18.104.22.168), I set its
> gateway to 22.214.171.124, and nat's /etc/network/interfaces and iptables
> are configured to treat 126.96.36.199 as the gateway for the 188.8.131.52/24 network.
> So now I give vpn a handful of addresses from the private network to
> use (say 184.108.40.206-50).
> Therefore vpn hands out a virtual ip (say 220.127.116.11) on a successful
> connection. How does vpn also tell the new connection that its
> virtual gateway is now 18.104.22.168?
> I've gone over the ipsec.conf file and I'm not seeing where I can set
> this. Does the vpn server need to set up some kind of connection to
> 22.214.171.124 itself?
> I haven't set this up:
> iptables -t nat -A POSTROUTING -s 10.0.3.0/24 -o eth0 -m policy --dir
> out --pol ipsec -j ACCEPT
> iptables -t nat -A POSTROUTING -s 10.0.3.0/24 -o eth0 -j MASQUERADE
> (from https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling),
> because server nat already has these in its iptables (in slightly
> different format).
> As an aside, is it at all possible to specify a set of available
> virtual ip addresses as a range rather than in CIDR format? I've
> basically been given 126.96.36.199 - 188.8.131.52 which works out to
> 184.108.40.206/31,220.127.116.11/29,18.104.22.168/28,22.214.171.124/26,126.96.36.199/29 in
> CIDR format (facepalm).
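Putting Noel's two points together (the VPN host itself is the gateway for the virtual IPs, and address ranges are handled by the `ipsec pool` tool with a SQL backend), here is an added example that is not from the original thread: strongswan.conf and ipsec.conf fragments for the vpn host, assuming an SQLite file at /etc/ipsec.d/ipsec.db, a pool named privpool, a constructed range 10.0.3.11-10.0.3.50 (matching the 10.0.3.0/24 in the quoted iptables rules), and the upstream schema template path, which varies by distribution.

```ini
# /etc/strongswan.conf -- charon hands out virtual IPs from the same
# SQLite file that the "ipsec pool" tool manages (assumed path).
charon {
    plugins {
        attr-sql {
            # database URI read by the attr-sql plugin at startup
            database = sqlite:///etc/ipsec.d/ipsec.db
        }
    }
}

# The "ipsec pool" management tool reads its database URI from here.
pool {
    database = sqlite:///etc/ipsec.d/ipsec.db
}

# One-time setup on the vpn host (template path is an assumption; check
# where your strongswan package installs it):
#   sqlite3 /etc/ipsec.d/ipsec.db < /usr/share/strongswan/templates/database/sql/sqlite.sql
#   ipsec pool --add privpool --start 10.0.3.11 --end 10.0.3.50 --timeout 48
#   ipsec pool --status     # shows each pool and how many leases are in use
# The pool is defined by start and end address, so no CIDR splitting is needed.

# /etc/ipsec.conf -- the road-warrior conn references the pool by name
# with a leading "%"; the VPN host's own routing table decides where the
# client's traffic goes next, which is why no "virtual gateway" is set here.
conn roadwarrior
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    right=%any
    rightsourceip=%privpool
    auto=add
```

Because the pool addresses are not on nat's own LAN segment, hosts on the private network (nat included) need a route for the pool range pointing at vpn, or vpn must masquerade as in the wiki rules Cindy quoted; that return path is the only "gateway" piece that actually has to be configured.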